Information Security Basics

When considering the basics of information and cyber security, it’s tempting to think that we are in the group that is ‘too smart’ to be fooled by anything as simple as a phishing email. Perhaps this failure of imagination is partly because of the stereotypical ‘scammer’ emails from the early days of the internet that we tend to remember and joke about.

The reality is that phishing emails are still an enormous problem, not only for individuals but organisations too, with around 32% of all breaches still involving phishing, and user negligence playing a significant role in these incidents.

With 60% of small businesses closing their doors within six months of an attack and the average cost soaring to over £4,000, we’ve put together this anti-phishing training guide to get you started in identifying risks and raising awareness about the persistent threat that phishing attacks pose to SMEs like yours.

The Facts

43% of breaches involved small business victims

We may think of large organisations as being more lucrative targets for hackers and attackers, and although breaches can cost large businesses far more on average, SMEs represent a significant proportion of victims.

Only 32% of small businesses have cyber security policies

Despite the huge number of high-profile hacks and breaches of the last several years, most small businesses lack a set of defined cyber security policies. Without these basic measures, an organisation opens itself up to all kinds of problems, including compliance issues, fines, breaches and more.

77% of all UK workers have never received any form of information security training from their employer

One of the major indications that industry still has a long way to go in terms of effective information security is the fact that only 33% of UK workers have received any employer training in this area. Considering how frequently employees routinely handle sensitive and personal information, it is surprising that businesses are so reluctant to invest in critical training.

Defending Against Phishing Attacks

There’s no denying that systems, spam filters and firewalls all play an important role in protecting an organisation from phishing threats. Necessary as they are, without informed and vigilant users these protections will never be a complete defence against information security attacks.

Part of any effective information security training program is giving users the understanding and tools to defend themselves. Here are some of the key elements users need to be aware of to detect phishing attacks:

Addresses

It may seem obvious, but taking a moment to check and double-check the address an email is coming from can be extremely effective in detecting phishing emails. The most blatant phishing emails may use nonsensical or gibberish addresses; however, more sophisticated phishers employ subtle tricks to obfuscate an email’s nefarious purpose.

This may involve substituting an ‘I’ (capital i) for an ‘l’ (lower-case L), or including an expected domain elsewhere in the address (shipment-tracking-amazon@gmail.co.uk instead of shipment-tracking@amazon.co.uk). At a glance, these addresses can appear legitimate, but if an email is asking you to take any action, such as logging in, making a transfer or giving up sensitive information, the address should be given extra attention and confirmation.

Urgency

Many phishing attacks attempt to instil a sense of urgency in the user. Terms such as ‘ASAP’ or ‘URGENT’ in the subject line or the body of the text can seem relatively innocuous to some, but phishers use these tactics to push users into making poorly considered ‘snap’ decisions.

Undoubtedly, you will occasionally receive legitimately urgent correspondence, and we certainly don’t recommend ignoring it; only that when urgency is conveyed, users take the time to confirm that the request is legitimate. This applies particularly to monetary transfers, which should ideally be confirmed with the other party via a separate channel (e.g. over the phone).

Attachments

Many of us hold positions that require us to regularly send and receive information, much of which comes in the form of email attachments. Although there is nothing inherently wrong with this, attachments pose a significant information security risk when users are not certain what they’re opening.

As with addresses, users should be particularly wary of strange or nonsensical file names, but the most important thing to consider when examining an attachment is the file type. Different file types pose different risks, so you should be especially wary of files ending in .exe or in any file type you don’t recognise. An attacker may try to disguise this by placing a widely used file type just before the real one, for instance “invoice.pdf.exe”, which is an executable, not a PDF.

As with all these anti-phishing training techniques, taking that extra moment to check and verify the legitimacy of communications can avert serious information security incidents.

Links

One of the most common techniques phishers use to extract sensitive information is to direct users to inauthentic pages designed to mimic legitimate and recognisable companies. These addresses are often obfuscated within emails (the visible link text need not match the real destination), so before following a link users should first inspect the URL, or find an alternative route to the page, such as typing the known address themselves.

Phishers and scammers can go to great lengths to build extremely convincing phishing pages designed to capture account login information, so just because a site looks correct, doesn’t necessarily mean it is legitimate.

Note: users should be especially wary when using mobile browsers, as URLs are typically truncated because of the smaller screen, so inauthentic URLs may be less obvious.
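The four checks described above (sender address, urgency, attachment type and link target) written out as detection logic, as an added example that is not part of the original guide or of Hut Six’s product. The trusted domains, the sample message and the list of “recognised” file types are constructed assumptions; the look-alike folding is a deliberately simple treatment of the ‘I’/‘l’ trick the text describes.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"amazon.co.uk", "examplebank.co.uk"}  # constructed for this example: domains we expect mail from
URGENCY = re.compile(r"\b(urgent|asap|immediately|act now)\b", re.I)
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".txt"}  # file types most users recognise (assumed list)
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})  # fold 'I'/'l', '1'/'l', '0'/'o' together

def normalise(domain):  # 'paypaI.com' and 'paypal.com' become the same string
    return domain.lower().translate(CONFUSABLES)
def is_lookalike(domain):  # not a trusted domain, but indistinguishable from one at a glance
    return domain not in TRUSTED and normalise(domain) in {normalise(d) for d in TRUSTED}

def check_sender(address):
    local, _, domain = parseaddr(address)[1].lower().rpartition("@")
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED):
        return []  # genuinely sent from a trusted domain or one of its sub-domains
    findings = [f"sender domain {domain!r} looks like a trusted domain"] if is_lookalike(domain) else []
    brands = {d.split(".")[0] for d in TRUSTED}  # 'amazon', 'examplebank'
    return findings + [f"sender uses the {b!r} name outside {b}'s own domain" for b in brands if b in local or b in domain]

def check_attachments(filenames):
    findings = []
    for name in filenames:
        exts = ["." + p for p in name.lower().rsplit(".", 2)[1:]]  # 'invoice.pdf.exe' -> ['.pdf', '.exe']
        if exts and exts[-1] not in DOCUMENT_EXTS:  # .exe, or a type the user would not recognise
            disguise = f", disguised as {exts[0]!r}" if len(exts) > 1 and exts[0] in DOCUMENT_EXTS else ""
            findings.append(f"attachment {name!r} is really a {exts[-1]!r} file{disguise}")
    return findings

def check_links(links):  # links: (display text, real href) pairs; the href is what the browser opens
    findings = []
    for text, href in links:
        host = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
        if "." in shown and shown != host:
            findings.append(f"link text shows {shown!r} but really points at {host!r}")
        if is_lookalike(host):
            findings.append(f"link target {host!r} looks like a trusted domain")
    return findings

def assess(msg):  # every indicator found in one message (a dict shaped like SAMPLE)
    findings = check_sender(msg["from"])
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        findings.append("urgency pressure in subject or body")
    return findings + check_attachments(msg["attachments"]) + check_links(msg["links"])
SAMPLE = {"from": "Amazon Shipping <shipment-tracking-amazon@gmail.co.uk>",  # constructed, not a real email
          "subject": "URGENT: confirm your delivery", "body": "Log in now to confirm your order.",
          "attachments": ["invoice.pdf.exe"], "links": [("https://amazon.co.uk/orders", "https://amaz0n.co.uk/login")]}
```

Running `assess(SAMPLE)` reports five indicators: the brand name in a gmail address, the urgent subject, the double-extension attachment, and a link whose text and target hosts differ, with the target itself being a look-alike domain.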

Simulated Phishing Training

Only seven years ago, the user click rate for phishing emails was a whopping 25%, a figure that has since fallen dramatically to around 3%. Although this is an obvious step in the right direction, given the risk that phishing poses to SMEs and the frequency with which phishing attacks are sent, empowering employees to identify attacks remains paramount.

Phishing simulations are a method by which an organisation sends its own employees suspicious-looking emails, both to measure how users interact with them and to educate staff about the risks of accidentally clicking on dangerous emails, links and attachments.

Rather than being used as a metric by which to punish employees, having quantifiable information about potential weaknesses allows an organisation to begin improving behaviour and creating an effective security culture.

Interactive and Engaging Information Security Training

By educating your staff regularly with interactive tutorials that demonstrate what has been learned, you don’t just help to improve compliance; you also reliably reduce the risk of human error and raise the standard of awareness.

Interactive and engaging awareness training, phishing simulator and learning management system.

As well as enabling employers to launch simulated phishing campaigns, Hut Six training features twenty-six comprehensive tutorials covering all aspects of information and cyber security.

Focused on demonstrating learning outcomes, with Hut Six’s learning management system (LMS), employers can assess and track the achievements of staff and better understand areas for improvement. Hut Six’s comprehensive solution builds a security aware culture by focusing on achieving meaningful behavioural change.

If you have found this Anti-Phishing Training Guide useful and you’d like to learn more about how you can protect and strengthen your business with unique and engaging information security awareness training, get in touch below.
